CHM Malware is circulating in Korea and stealing user data

The AhnLab Security Intelligence Center (ASEC) recently identified a CHM malware strain that steals user information and is being distributed to Korean users. This malware has been distributed over a long period in a number of forms, including LNK, DOC, and OneNote files. The latest samples show a small modification to its operational procedure.

Attackers take advantage of weaponized shortcut files because they can execute malicious code without the target user's knowledge. Shortcut files are familiar and frequently used, which makes them an effective vehicle for deploying malware: these seemingly innocuous shortcuts let attackers bypass security measures and expose victims' systems.

Technical Analysis

While the full execution cycle still uses numerous scripts to steal keylogger data and user information, some newer samples reveal slight differences in their functionality. When the CHM file is executed, a malicious script that builds and executes Link.ini in “%USERPROFILE%\Links” is launched alongside a help file.

The URL that Link.ini connects to is now "bootservice.php?query=1" instead of "list.php?query=1", and it serves a Base64-encoded script. Once decoded and examined, this script collects user data, creates a malicious script file, and registers it as a service under the path "%USERPROFILE%\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_[time].ini". The service is set to run automatically every sixty minutes.

The following information is collected when the script is executed.

  • System Information
    • System owner name
    • Computer manufacturer name
    • Product name
    • System type
    • OS version and build number
    • Available memory size
    • Current processor speed
  • List of Files in the Folder
    • C:\Users\[User]\Desktop
    • C:\Users\[User]\Documents
    • C:\Users\[User]\Favorites
    • C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Recent
    • C:\Program Files
    • C:\Program Files (x86)
    • C:\Users\[User]\Downloads
  • Information on Currently Running Processes
    • Executed file name
    • ProcessID
    • SessionID
  • Anti-malware Information (Code Only, Not Executed)
    • Product name
    • Supplier path
    • Unique identifier
    • Status information

The service periodically connects to a URL that serves another Base64-encoded malicious script. Here the URL changed from "list.php?query=6" to "bootservice.php?query=6". Decoding the script reveals that it uses PowerShell to connect to a different URL, passing an "InfoKey" argument together with encoded data. The PowerShell script hosted at that URL decodes an encrypted secure string payload and executes it.

To evade readily available detection tools, the attacker has begun using more sophisticated obfuscation than the simpler techniques, such as decompression or Base64 decoding, seen in most documented cases. The final decoded payload performs keylogging: it stores recorded keystrokes and clipboard data in '%APPDATA%\Microsoft\Windows\Templates\Office_Config.xml', transmits the file to the attacker's server, and then deletes it.
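The artifacts described above (the Link.ini dropper path, the OfficeUpdater_[time].ini service script, the Office_Config.xml keylog store, the bootservice.php/list.php URL pattern and the PowerShell "InfoKey" argument) can be turned into a simple triage check for endpoint or proxy events. The following is an added example written for this article, not code from ASEC's report; the event schema, the sample events and the placeholder host name are constructed, and the match for the unspecified [time] part of the file name is an assumption.

```python
import re

# Paths and URLs come from the article's description of this CHM campaign. The
# [time] part of OfficeUpdater_[time].ini is not specified there, so any run of
# non-backslash characters is accepted in that position (an assumption).
FILE_INDICATORS = {
    "link_ini_dropper": re.compile(r"\\Links\\Link\.ini\b", re.I),
    "officeupdater_service_script": re.compile(
        r"\\Temporary Internet Files\\OfficeUpdater_[^\\]+\.ini\b", re.I),
    "keylog_store": re.compile(r"\\Templates\\Office_Config\.xml\b", re.I),
}
URL_INDICATORS = {
    "c2_bootservice": re.compile(r"/bootservice\.php\?query=\d+", re.I),
    "c2_list_legacy": re.compile(r"/list\.php\?query=\d+", re.I),
}
# The query=6 stage runs PowerShell with an "InfoKey" argument plus encoded data.
POWERSHELL_INFOKEY = re.compile(r"powershell(\.exe)?\b.*\bInfoKey\b", re.I | re.S)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|cmd|powershell)\.exe\b", re.I)


def match_indicators(event: dict) -> set[str]:
    """Return the names of every campaign indicator the event matches; `event`
    is a flat dict with optional keys 'path', 'url', 'command_line' and
    'parent_image' (a schema constructed for this example, not a vendor format)."""
    hits = set()
    text = event.get("path", "") + " " + event.get("command_line", "")
    hits.update(n for n, rx in FILE_INDICATORS.items() if rx.search(text))
    hits.update(n for n, rx in URL_INDICATORS.items() if rx.search(event.get("url", "")))
    cmd = event.get("command_line", "")
    if POWERSHELL_INFOKEY.search(cmd):
        hits.add("powershell_infokey")
    # hh.exe is the Windows HTML Help viewer that opens CHM files (general
    # knowledge, not stated in the article); a script host started by it fits
    # the CHM-to-script chain described above.
    if event.get("parent_image", "").lower().endswith("hh.exe") and SCRIPT_HOST.search(cmd):
        hits.add("script_spawned_by_hh")
    return hits


# Constructed sample events; the host name is a placeholder, not a real server.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\hh.exe",
     "command_line": r'cmd.exe /c start "" "C:\Users\alice\Links\Link.ini"'},
    {"path": r"C:\Users\alice\AppData\Local\Microsoft\Windows\Temporary Internet Files\OfficeUpdater_1700000000.ini"},
    {"url": "http://c2.example.invalid/bootservice.php?query=6"},
    {"command_line": "powershell.exe InfoKey QUJDREVG"},
    {"path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Templates\Office_Config.xml"},
    {"path": r"C:\Users\alice\Documents\notes.txt"},
]
```

Calling `match_indicators` on each entry of `SAMPLE_EVENTS` yields one indicator set per event, with the final benign path producing an empty set.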

Recommendation

  1. Keep Software Updated: Regularly update the operating system, applications, and security software. Patches often address vulnerabilities that could be exploited by malware.
  2. Use Antivirus and Anti-Malware Software: Install reputable antivirus and anti-malware software. Ensure it is up to date and set to perform regular scans.
  3. Be Cautious with Downloads: Avoid downloading files from untrusted sources or suspicious websites. Verify the legitimacy of files before opening them. If you receive an unexpected attachment, verify it with the sender before opening it.
  4. Disable Autorun/Autoplay: Disable autorun or autoplay for external devices (USB drives, CDs/DVDs) to prevent automatic execution of malicious code.
  5. Enable Firewall: Ensure the system's firewall is enabled. Firewalls help block unauthorized network traffic.
  6. Be Skeptical of Email Attachments and Links: Don’t open email attachments or click on links from unknown or suspicious sources. Hover over links to see the actual URL before clicking.
  7. Use CHM Files with Caution: CHM (Compiled HTML Help) files can be used maliciously. Be cautious when opening them. If you encounter a CHM file from an untrusted source, consider scanning it with antivirus software before opening it.